What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface

The Hacker News T2 clear 15 May 2026 1211 words ORIGINAL
Classification
SEV 6/10
Confidence: 53%
Categories
vulnerability, malware, supply_chain
Threat Actors
Conti
Target Sectors
government

The Hacker News | May 15, 2026 | Endpoint Security / Threat Detection

In the previous article, Your Biggest Security Risk Isn't Malware — It's What You Already Trust, we made a simple argument: the most dangerous activity inside most organizations no longer looks like an attack. It looks like administration. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities your IT team uses every day are also the preferred toolkit of modern threat actors. Bitdefender's analysis of 700,000 high-severity incidents found legitimate-tool abuse in 84% of them.

The reaction we heard most was a fair one: "We know. So what do we actually do about it?" That's what Bitdefender's complimentary Internal Attack Surface Assessment is built to answer. It's a 45-day, low-effort engagement available to organizations with 250 or more employees that turns the abstract problem of "living off the land" into a specific, prioritized list of users, endpoints, and tools you can safely take away from attackers without breaking the business.

Why This, Why Now

A clean Windows 11 install ships with 133 unique living-off-the-land binaries spread across 987 instances.

Bitdefender Labs telemetry found PowerShell active on 73% of endpoints, much of it invoked silently by third-party applications. This isn't a malware problem — it's an over-entitlement problem, and you can't patch your way out of it. Gartner now projects that preemptive cybersecurity will account for 50% of IT security spending by 2030, up from less than 5% in 2024, and that 60% of large enterprises will adopt dynamic attack surface reduction (DASR) technologies by 2030, up from less than 10% in 2025.

The reason is mechanical: when most intrusions involve no malware and adversaries move in minutes, "detect and respond" is too slow a loop. You have to remove the moves attackers can make in the first place.

How the Assessment Works

The engagement runs in four steps over roughly 45 days, powered by GravityZone PHASR — Bitdefender's Proactive Hardening and Attack Surface Reduction technology — and sits alongside whatever endpoint stack you already run:

1. Kickoff and behavioral learning. PHASR builds behavioral profiles for every machine-user pair, typically over 30 days.

2. Attack Surface Dashboard review. You receive an exposure score (0–100) and a prioritized list of findings across five categories: living-off-the-land binaries, remote admin tools, tampering tools, cryptominers, and piracy tools — each mapped to the specific users and devices they affect.

3. Optional reduction sprint. Apply controls manually or let PHASR's Autopilot enforce them. Users can request access back through a built-in one-click approval workflow.

4. Reduction review. A final session quantifies how much surface you've shrunk and what shadow IT and unauthorized binaries surfaced along the way.

Early-access customers have reduced their attack surface by 30% or more in the first 30 days, with one reporting close to by locking down LOLBins and remote tools — without investigation overhead or end-user disruption.

What It Means for Different Stakeholders

For the CISO: a defensible, board-ready exposure number that moves week over week, mapped to behaviors attackers actually use.

For the SOC and IT admin: up to 50% less investigation and response workload, because entire classes of suspicious-but-legitimate behavior simply don't occur on endpoints that don't need them.

For the business decision-maker: documented, ongoing surface reduction — increasingly what regulators, auditors, and cyber-insurers want to see.

Start Where the Attackers Already Are

The previous article ended on a principle: the most significant risks are no longer external or unknown — they're already inside your environment. This one ends on a practice: you can have a precise, prioritized map of those risks within 45 days, at no cost, without changing your existing stack. If you run a Windows-heavy environment with 250 or more users, request your Internal Attack Surface Assessment here.

Compromises will keep happening. Whether one becomes a breach depends almost entirely on what an attacker can reach once they're in. The fastest way to shorten that list is to look at it.

This article is a contributed piece from one of our valued partners.


Extracted Entities (1)
CVEs
CVE-2026-23918
ID: 291 | Lang: en | Type: article